In the information security outsourcing market, an important reason that firms do not want to let outside firms (usually called MSSPs, Managed Security Service Providers) take care of their security needs is that they worry about the quality of service MSSPs provide, because they cannot monitor the MSSPs' effort. Since an MSSP's actions are unobservable to buyers, the MSSP can lower its cost by working less hard than the contract requires and thereby earn a higher profit. In the asymmetric information literature, this possible secret shirking behavior is termed the moral hazard problem. This paper considers a game-theoretic economic framework to show that, under information asymmetry, an optimal contract can be designed so that MSSPs will stick to their promised effort level. We also show that the optimal contract should be performance-based, i.e., payment to the MSSP should be based on the performance of the MSSP's security service period by period. For comparison, we also show that if the moral hazard problem does not exist, the optimal contract does not depend on the MSSP's performance: a contract that specifies a constant payment to the MSSP will be optimal. In addition, we show that under both the perfect information scenario and the imperfect information scenario, the higher the transaction cost, the lower the payment to MSSPs will be.